How are you fixed for security? Really? You say your antivirus software is up to date? Firewall is humming along nicely? Employees are scrupulous about changing passwords and not sharing them? That's great, but you're still wide open to threats and intrusion. Not only that, but a bunch of hackers recently held a convention to talk about just how to exploit the holes in your system. In Las Vegas in August Black Hat Briefings brought out the sort of hackers we shouldn't necessarily fear--hordes of security industry professionals--to confer with so-called white hat hackers, old-school technologists who look for oversights and vulnerabilities to understand how things work and how to improve them. Black Hat, a security think-tank founded in 1997 by former hacker and Black Hat CEO Jeff Moss (Moss's nom de hack? Dark Tangent), sponsors briefings and training sessions to teach IT security professionals, investigators, and application designers the ins and outs of what real black hats look for when trying to manipulate data systems for criminal or malicious purposes.
"The average IT and security professional didn't have exposure to the underground community," says Dominique Brezinski, resident technologist with Black Hat. "Black Hat was created to introduce them to hackers in the original sense, explorers who want to see what makes technology tick, and bring their concepts and thought processes to government and business."
The increasing complexity of applications and operating systems is responsible for the number of ways the bad guys can get in, Brezinski says. "The more code you write, the more likely it is that something has been overlooked. And the more software you have, the broader an attack surface you present, with more exploitable bugs." This vulnerability extends to every aspect of a network. "Antivirus software and other enterprise apps are very complex and therefore vulnerable, sometimes even more so than the systems they're supposed to defend." To minimize vulnerability, Brezinski recommends removing or disabling unnecessary software, but also believes user education is key. "Phishing has actually done a good thing," he says. "Now, even the average user knows an email might not be from the source it claims to be."

The way companies do business also exposes them to danger, says conference attendee Justin Bingham, CTO of security solutions vendor Intrusic. "One thing that's constantly overlooked is that real vulnerability doesn't have as much to do with software as some people think," Bingham says. Trusted path exploitation, he explains, is one of the main tactics of real, criminal hackers: taking advantage of applications used to communicate with partners and customers to get inside the firewall. "Companies think they're secure behind the standard security measures deployed at the edges of the organization, but then they have things like VPNs, which are built to allow outside access to the system. And they encourage workers to reach out to others through third-party services. Hackers leverage holes in these systems to get access to your data." Once they do that, Bingham says, "hackers don't have to actively attack you anymore; they establish credentials on your network and act like any other user."
So what can systems administrators do to prevent exposure? "These sorts of exploits are very tough to prevent, almost impossible," Bingham says. "The attackers are leveraging things you put in place to improve your business. They're good things, and companies can't get rid of them even if they wanted to." The solution is vigilance combined with technology to detect strange behavior within the system instead of outside it. "Hackers are at a disadvantage once they get inside your system. They don't understand the environment because they don't work there. They utilize resources in different ways, do things that are out of bounds, and poke around trying to learn what they can. With the right tools you can detect this kind of activity and shut it down."